From ametzler at bebt.de Sat May 2 12:42:54 2026
From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 2 May 2026 13:42:54 +0200
Subject: Bug#1135538: trixie-pu: package exim4/4.98.2-1+deb13u1
Message-ID:

Package: release.debian.org
Severity: normal
Tags: trixie
Control: affects -1 + src:exim4
User: release.debian.org at packages.debian.org
Usertags: pu

Hello,

after discussion with the security team I would like to fix a couple of CVEs and, unrelated to that, an interoperability issue via stable/oldstable uploads:

a) All the CVE fixes from the recent security update 4.99.2:

* CVE-2026-40684 Possible crash with malicious DNS data when using musl libc ... While we do not use musl libc, it is a small contained patch, so I would still prefer to include it.

* CVE-2026-40685 Possible OOB read/write on corrupt JSON in header configurations using json operators on invalid externally-provided input could trigger heap corruption. As far as I understand this also does not hit our binaries, since we do not build with JSON looks enabled. However users can build private packages from our sources. One-line change.

* CVE-2026-40686 Possible OOB read with large UTF8 trailing character ... Another tiny change, applies to Debian.

* CVE-2026-40687 Possible OOB read/write with SPA authenticator. This is client side and needs a hostile/compromised external counterpart. This patch is rather big and required some handholding to apply.

b) Fix GnuTLS hostname verify of a server certificate with a zero-length Subject. These are now being handed out by LetsEncrypt; note that this means they carry no DN (as well as no SN, that having been decreed deprecated in favour of SANs). This is also a small change and something our DSA would appreciate. Upstream discussion starts here: https://lists.exim.org/lurker/message/20260413.184322.ecbabb9e.en.html

TIA, cu Andreas
-- 
"You people are noisy," Nia said. I made the gesture of agreement.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 13trixie.diff
Type: text/x-diff
Size: 21441 bytes
Desc: not available
URL: